rupali

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: openclaw-sarvam-girlfriend
Version: 1.0.0

The skill bundle is benign. The `SKILL.md` clearly outlines the purpose of a virtual girlfriend voice companion and instructs the AI agent to use `scripts/bulbul_tts.py` to synthesize audio. The Python script `scripts/bulbul_tts.py` legitimately retrieves a `SARVAM_API_KEY` from environment variables and uses it to make a POST request to `https://api.sarvam.ai/text-to-speech/stream`, saving the audio response to a local file. There is no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, or prompt injection attempts to subvert the agent's intended behavior beyond its stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use the configured Sarvam account/API quota to synthesize audio.

Why it was flagged

The skill needs a Sarvam API credential to perform text-to-speech. This is purpose-aligned, but users should know an external service credential is required despite the registry metadata listing no required environment variables.

Skill content

Requires `SARVAM_API_KEY` in environment.

Recommendation

Use a dedicated Sarvam API key if possible, keep it scoped/rotatable, and monitor provider usage.

What this means

Anything included in the generated voice reply may be transmitted to Sarvam for audio generation.

Why it was flagged

The text selected for synthesis is sent to Sarvam's external TTS endpoint. This matches the skill's purpose, but it is still a third-party data flow.

Skill content

API_URL = "https://api.sarvam.ai/text-to-speech/stream" ... payload = { "text": text, ... }

Recommendation

Avoid using this skill for private or sensitive content unless that provider data flow is acceptable.

What this means

Installation or execution may fail if the runtime does not already include the dependency, and the registry metadata does not fully describe setup needs.

Why it was flagged

The helper depends on the Python requests package while the supplied install specifications say there is no install spec. This is a minor dependency/setup declaration gap, not evidence of malicious code.

Skill content

import requests

Recommendation

Confirm the runtime has the required Python dependency and that the Sarvam API key is intentionally configured before use.